Sudo commands secure way

Hello,

Is there any (recommended) way to use Linux Tentacles without giving the octopus user permanent sudo power without prompt?

I would like to avoid a user this way in Linux systems, even with the protection of public key.
Double purpose: No additional Sudo accounts in the system, and the users deploying with Octopus cannot wreak havoc on systems accidentally.

The recommended way to enable these commands to be run is to disable the password prompt for the user account used for deployments.

I’m thinking to give octopus deployments user specific or selective power through sudoers file and ACLs, as manual-for-every-deploy way to avoid the two mentioned things.

Let me know your thoughts about the whole thing,

Thank you very much

Hi Victor,

Thank you for reaching out to us with your query about using sudo.

The documentation linked in your post is the recommended way to give Tentacles the ability to run sudo commands. You can indeed increase security by using more restrictive permissions as mentioned near the bottom of the page:

Be Selective with Permissions
Ideally your Octopus Deploy ssh endpoint should be configured with a special user solely for the purposes of running deployments. In this case you should consider configuring just that user’s sudo capabilities to be limited to those commands needed to execute the deployment scripts.

A good approach for this is to review the commands that the Tentacle needs to run in your deployment and to add only those to the sudoers file. The man page offers detailed information on how to achieve this and some good examples. There is also an easier to read example on the linked Stack Overflow question.

I hope this is helpful. Please get back to us if you have any questions.

Best Regards,

Charles

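A sketch of the selective-permissions approach discussed in this thread, added here as an example; it is not taken from the Octopus documentation or from either poster. The user name `octopus`, the service `myapp.service`, the wrapper script `/usr/local/sbin/myapp-deploy` and the drop-in file name are assumptions to be replaced with whatever your deployment scripts actually call.

```sudoers
# /etc/sudoers.d/octopus-deploy   (assumed file name; owner root, mode 0440)
# Files in /etc/sudoers.d whose names contain "." or end in "~" are skipped.
# Syntax-check before relying on it:  visudo -cf /etc/sudoers.d/octopus-deploy
# Review the effective rules with:    sudo -l -U octopus

# Weak setting, shown for contrast only and left commented out:
# passwordless root for every command.
# octopus ALL=(ALL) NOPASSWD: ALL

# Restricted setting: list each command line the deployment needs.
# When arguments are given, sudo matches them exactly, so
# "systemctl restart sshd" is refused while the entries below pass.
Cmnd_Alias OCTO_SERVICE = /usr/bin/systemctl stop myapp.service, \
                          /usr/bin/systemctl start myapp.service, \
                          /usr/bin/systemctl restart myapp.service, \
                          /usr/bin/systemctl is-active myapp.service

# A fixed wrapper for multi-step work. The script and every directory above it
# must be root-owned and not writable by octopus. The empty "" means the
# command may only be run with no arguments at all.
Cmnd_Alias OCTO_DEPLOY = /usr/local/sbin/myapp-deploy ""

# Per-user defaults: allow non-interactive SSH sessions, and keep the caller
# from steering root commands through environment variables or PATH.
Defaults:octopus !requiretty, env_reset, !setenv
Defaults:octopus secure_path="/usr/sbin:/usr/bin:/sbin:/bin"

# No password prompt, but only for the aliases above and only as root.
octopus ALL=(root) NOPASSWD: OCTO_SERVICE, OCTO_DEPLOY

# Keep out of the aliases: wildcards in paths or arguments, and programs that
# can start a shell or write arbitrary files (editors, pagers, tar, find, cp).
```

Deployment scripts then call the listed commands with their full paths and exact arguments, for example `sudo /usr/bin/systemctl restart myapp.service`; anything else run through `sudo` is denied and logged.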